Google fixes new Chrome zero-day flaw with an exploit in the wild

Google released a security update for the Chrome web browser to address the third zero-day vulnerability exploited by hackers this year.

“Google is aware that an exploit for CVE-2023-3079 exists in the wild,” reads the security bulletin.

Exploitation details unknown

The company has not released details about the exploit or how it was used in the attacks, limiting information to the severity of the flaw and its type.

Withholding technical information is Google’s usual position when a new security issue is discovered. This is to protect users until most of them migrate to a secure version, as adversaries could use the details to develop additional exploits.

“Access to bug details and links may be restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but have not yet fixed” – Google

CVE-2023-3079 has been rated as a high-severity issue. It was discovered by Google researcher Clément Lecigne on June 1, 2023, and is a type confusion in V8, Chrome’s JavaScript engine responsible for running code in the browser.

Type confusion bugs occur when the engine misinterprets an object’s type during runtime, which can lead to malicious manipulation of memory and the execution of arbitrary code.

The first zero-day vulnerability patched by Google in Chrome this year was CVE-2023-2033, which is also a type confusion bug in the V8 JavaScript engine.

A few days later, Google released an emergency security update for Chrome to fix CVE-2023-2136, an actively exploited vulnerability affecting the browser’s 2D graphics library, Skia.

Zero-day vulnerabilities are often exploited by sophisticated state-sponsored threat actors, primarily targeting high-profile figures in government, the media, or other vital organizations. Therefore, it is strongly recommended that all Chrome users install the available security update as soon as possible.

In addition to fixing a new zero-day, the latest version of Chrome addresses various issues discovered during internal audits and code fuzzing scans.

Google says the update will roll out in the coming days/weeks, so it’s a gradual rollout that won’t reach everyone at once.

Update Chrome Browser

To manually initiate the process of updating Chrome to the latest version that resolves the actively exploited security issue, go to the Chrome settings menu (upper right corner) and select Help → About Google Chrome.

It is necessary to restart the application to complete the update.

Available security updates are also automatically installed the next time the browser is started without user intervention. So check the “About” page to make sure you’re using the latest version.

The new stable channel version fixing the flaw that has an exploit in the wild is version 114.0.5735.110 for Windows and 114.0.5735.106 for Mac and Linux.
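For administrators checking more than one machine, the following added example (not from Google or the original article) audits an inventory of installed Chrome builds against the fixed versions stated above. The hostnames and inventory rows are constructed, and the platform labels `windows`, `mac` and `linux` are an assumed naming scheme.

```python
# Fixed stable-channel builds as stated in the article.
FIXED = {
    "windows": (114, 0, 5735, 110),
    "mac": (114, 0, 5735, 106),
    "linux": (114, 0, 5735, 106),
}

def parse_version(text):
    """Turn '114.0.5735.90' into (114, 0, 5735, 90); None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def needs_update(platform, version_text):
    """True if the build predates the fix, or cannot be judged (fail closed)."""
    fixed = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return True
    # Compare as integer tuples: as plain strings, "…5735.90" would sort
    # after "…5735.110" and an unpatched build would pass the check.
    return version < fixed

def audit(inventory):
    """Return hosts from (host, platform, version) rows that still need the update."""
    return [host for host, platform, ver in inventory if needs_update(platform, ver)]

# Constructed sample inventory (hypothetical hosts), e.g. an asset-database export.
SAMPLE = [
    ("ws-01", "windows", "114.0.5735.110"),
    ("ws-02", "windows", "114.0.5735.106"),  # fixed build for Mac/Linux, not Windows
    ("mb-01", "mac", "114.0.5735.106"),
    ("lx-01", "linux", "113.0.5672.126"),
    ("lx-02", "linux", "115.0.5790.98"),
    ("ws-03", "windows", "unknown"),         # unparseable, so flagged
]

if __name__ == "__main__":
    for host in audit(SAMPLE):
        print("needs update:", host)
```

Because the rollout is gradual, a host flagged here may simply not have received the update yet; the manual update steps above apply to it.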

